CRITICAL🇵🇱 Wersja polska

CVE-2024-40489

CVSS 9.8v3.1pub. 2026-04-01upd. 2026-04-06

There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests.

🤖 AI Analysis
How it works

The vulnerability consists of overly liberal filtering of special characters in input data transmitted via HTTP. The attacker sends a specially crafted HTTP request containing a malicious payload that is not properly sanitized by the application. As a result, the payload reaches the code execution component, resulting in execution of arbitrary instructions on the server side (RCE).

Impact

An attacker can remotely and without authentication execute arbitrary code on the server with application privileges, which may lead to complete system compromise, data breach, and violation of service integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Immediate update of Jeecg Boot to a version higher than 3.5.3 is recommended. Until the patch is implemented, it is recommended to restrict application access exclusively to trusted networks or IP addresses and monitor logs for suspicious HTTP requests.

Who is affected

Jeecg Boot in versions 3.0.0 to 3.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jeecg Boot

    APP
    Jeecg
    3.0 – 3.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-43028CRITICAL9.8PL ✓ten sam produkt

Command injection w Jeecg Boot — zdalne wykonanie kodu przez /jmreport/show

CVE-2024-48307CRITICAL9.8PL ✓ten sam produkt

SQL Injection w JeecgBoot przez endpoint getTotalData

CVE-2023-41543CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41542CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41544CRITICAL9.8PL ✓ten sam produkt

RCE poprzez SSTI injection w Jeecg Boot — komponent /jmreport/loadTableData